Chapter 2. New features and enhancements

Technology Preview: Azure Pipelines is now supported

You can now choose Azure Pipelines as your CI provider. You can integrate Azure Pipelines during the RHTAP installation, otherwise, RHTAP defaults to Tekton. This feature is available as a Technology Preview, and it is not fully supported, may not be functionally complete, and is not intended for production use.

Single secret for image registry authentication is now enabled

Previously, RHTAP stored secrets for each container image registry separately. With this release, secrets values can now be merged into a single unified rhtap-image-registry-auth secret, and you can use this secret for image registry authentication.

Non-sensitive environment variables are no longer treated as secrets

Previously, RHTAP treated all CI environment variables as secrets. As a result, non-sensitive values were masked and had limited visibility. With this release, non-sensitive environment variables aren’t stored as secrets, and their values are easily accessible in the UI and logs. The following variables are no longer secrets:

Permissions for the rhdh-kubernetes-plugin ServiceAccount have been restricted

Previously, the rhdh-kubernetes-plugin ServiceAccount (SA) used by Red Hat Developer Hub to integrate with OCP had cluster-wide permissions. To improve security, the SA access has been limited to only the namespaces created by rhtap-app-namespaces and to resources required by the RHDH plugins. A new ClusterRole has been created and bound to the rhdh-kubernetes-plugin ServiceAccount to manage the permissions.

Red Hat Quay robot account is now supported

In earlier versions, RHTAP used a Quay superuser account to access an image registry, which could increase the risk of credentials exposure. To enhance security, this release introduces support for Red Hat Quay robot accounts. To learn more about these accounts, refer to the Red Hat Quay Robot Account overview docs.

Creating and customizing namespaces on RHDH is now supported

The redhatDeveloperHub section of the config.yaml file now has a new namespacePrefixes property. By configuring it, platform engineers can create and set up new namespaces for developers, as well as customize namespaces prefixes. The default prefix is rhtap-app. To customize namespaces, refer to Customizing namespaces prefixes in config.yaml

New manageSubscription property manages which Operator subscriptions RHTAP installs

During the RHTAP installation, the installer deploys multiple products onto your OCP cluster using OpenShift Operators. In previous releases, if you already had these Operators installed, the RHTAP installation could fail. This release adds a new manageSubscription property in the config.yaml file. This property allows you to choose which Operators the installer should install and subscribe to during the RHTAP installation. By default, this property is set to true for all components. To change this behavior, refer to Managing Operator subscriptions in RHTAP.

RBAC is now available for GitHub authentication

RHTAP now supports the Role-Based Access Control (RBAC) for GitHub authentication. The feature is available through a RHDH plugin that is installed in RHDH but is disabled by default. To enable the RBAC plugin, modify the config.yaml file as described in Enabling RBAC in config.yaml. To learn more about RBAC, refer to Configuring authorization by using RBAC.

Deploying a single Helm chart dependency is now supported

You can now deploy or upgrade an individual Helm chart dependency by passing the chart path to the rhtap-cli deploy command, for example rhtap-cli deploy charts/rhtap-dh. This feature allows to update a single component to a newer version without redeploying all RHTAP components.

RHACS integration with Quay is now automated

Previously, after installing RHTAP, you needed to additionally integrate Red Hat Advanced Cluster Security with the Quay image registry. With this release, manual integration is no longer required if at least one of these components is deployed by the RHTAP installer. The integration is now performed by the rhtap-integrations chart which is executed after all products have been deployed.

rhtap-cli integration gitlab now has a new --group flag

The rhtap-cli integration gitlab command now has a new mandatory --group flag. When you integrate GitLab, you can specify a target GitLab group, and thus limit RHTAP access to only that group’s resources. To learn more about GitLab integration, refer to the GitLab section in the RHTAP Installation guide.

CI and development workloads are now separated

CI and development workloads are now deployed in separate namespaces. Previously, the development application ran in the same namespace as the CI components and had access to CI-related secrets. This release separates the CI and development workloads and limits credentials exposure. This change also brings consistency across environments, because the configuration of the development namespace and other deployment namespaces is now identical.

RHDH and GitOps workloads are now separated

Red Hat Developer Hub and GitOps components are now deployed in separate namespaces. This separation brings improved workload management and resource allocation.